[00:01.030 --> 00:04.210]  Hey everyone, and welcome to Identity Crisis,
[00:04.210 --> 00:07.190]  the mad rise of online account opening fraud.
[00:07.190 --> 00:09.750]  My name is Yuri, and I'm Chief Cyber Officer
[00:09.750 --> 00:12.670]  and Co-Founder at BioCatch.
[00:12.990 --> 00:16.730]  We are at an identity crisis point.
[00:17.350 --> 00:21.550]  If you were asking credit card companies and banks
[00:21.690 --> 00:24.970]  a few years ago about account opening fraud,
[00:24.970 --> 00:28.150]  they would say, yeah, it's a kind of a minor inconvenience.
[00:28.150 --> 00:30.230]  That's not their reaction nowadays.
[00:30.770 --> 00:33.770]  It's getting to be a tidal wave.
[00:34.010 --> 00:36.730]  This is from Gartner a few years ago.
[00:36.730 --> 00:39.830]  You can see things like account takeover fraud,
[00:39.830 --> 00:42.970]  payment fraud, these are the main areas of concern
[00:42.970 --> 00:46.350]  for risk and security management.
[00:46.470 --> 00:51.110]  But there's one thing that tops all of these concerns,
[00:51.110 --> 00:55.710]  and that's new account synthetic or stolen identity fraud.
[00:55.710 --> 00:58.350]  So it is becoming the number one concern
[00:59.290 --> 01:03.990]  regarding fraud in financial institutions.
[01:04.460 --> 01:06.370]  Another interesting trend is to see
[01:06.370 --> 01:10.710]  what sort of information financial criminals
[01:10.710 --> 01:12.830]  are stealing these days.
[01:12.830 --> 01:15.010]  It used to be credit card information.
[01:15.010 --> 01:18.910]  That was the top priority for financial cyber criminals.
[01:18.910 --> 01:21.770]  But now the number one data element
[01:21.770 --> 01:26.530]  is social security number, which is an identity element.
[01:26.530 --> 01:30.290]  And in fact, identity is becoming a commodity.
[01:30.290 --> 01:32.270]  It's traded in the dark web,
[01:32.810 --> 01:36.990]  and every American citizen's records
[01:37.670 --> 01:41.190]  have already been stolen several times over.
[01:41.730 --> 01:43.970]  If we can look at this list, for example,
[01:43.970 --> 01:47.270]  it shows all sorts of data breaches.
[01:47.570 --> 01:51.270]  Many of those are related to identity.
[01:51.870 --> 01:53.290]  Specifically, if we talk about
[01:53.290 --> 01:55.430]  the big credit reference agency,
[01:55.430 --> 01:56.730]  the big credit bureaus,
[01:57.790 --> 02:01.350]  data aggregators that have been hacked over the years,
[02:01.350 --> 02:06.230]  and this fuels this economy of account opening fraud.
[02:06.270 --> 02:08.370]  Now, the industry is fighting back,
[02:08.370 --> 02:11.690]  realizing that good old KYC,
[02:11.690 --> 02:14.590]  know your customer, is basically dead,
[02:14.590 --> 02:17.090]  and long live next generation data.
[02:17.190 --> 02:19.350]  So it used to be about what you know
[02:19.350 --> 02:22.510]  and matching all of the information about the user,
[02:22.510 --> 02:25.730]  looking at the data that the user provides
[02:25.730 --> 02:27.830]  and seeing that it all stacks,
[02:27.830 --> 02:31.530]  and it's what the records show.
[02:32.190 --> 02:34.990]  But now we have additional data to look at.
[02:34.990 --> 02:38.330]  For example, what you have, which is user resources,
[02:38.330 --> 02:41.350]  and what you do, which is your digital footprint,
[02:41.350 --> 02:45.150]  and what you are, user behavior, that's behavioral biometrics.
[02:45.250 --> 02:48.190]  So a couple of examples for each of those categories.
[02:48.210 --> 02:51.950]  Again, historically, this would be KYC data,
[02:52.360 --> 02:56.770]  residence, license information, credit history information.
[02:57.430 --> 03:01.650]  Those type of data points are already in the wrong hands.
[03:01.650 --> 03:04.410]  And when someone, a cyber criminal,
[03:04.410 --> 03:05.930]  is doing account opening fraud,
[03:05.930 --> 03:08.110]  they have access to all of this.
[03:08.910 --> 03:12.670]  So therefore, a lot of financial institutions
[03:13.000 --> 03:15.190]  and other related industries
[03:15.580 --> 03:19.610]  have started to untap additional lines of defense.
[03:19.610 --> 03:20.850]  Starting with device,
[03:20.850 --> 03:25.010]  this has been something that the industry started to adopt
[03:25.550 --> 03:28.110]  about 10 years ago, 15 years ago.
[03:28.690 --> 03:30.670]  What sort of device are you coming from?
[03:30.670 --> 03:32.730]  What's the reputation of that device?
[03:32.730 --> 03:35.410]  Information about your location,
[03:35.410 --> 03:38.290]  information about your phone and phone line.
[03:39.090 --> 03:41.610]  More recently, what are you doing?
[03:41.610 --> 03:43.310]  So what's your digital footprint?
[03:43.310 --> 03:45.770]  Any kind of social media reputation that you have,
[03:45.770 --> 03:49.870]  email reputation, open source analysis on your identity.
[03:49.870 --> 03:52.750]  And more recently, behavioral biometrics.
[03:53.170 --> 03:55.910]  These are different types of analysis.
[03:55.910 --> 03:58.810]  For example, if you're opening an account,
[03:58.810 --> 04:02.290]  you should be familiar with the data that you're providing.
[04:02.290 --> 04:04.230]  It's your own personal information.
[04:04.250 --> 04:05.390]  You should not be familiar
[04:05.390 --> 04:06.790]  with the process of account opening
[04:06.790 --> 04:08.950]  because, hey, you've just opened an account.
[04:09.150 --> 04:10.950]  A criminal is gonna be the opposite.
[04:10.950 --> 04:13.350]  They're gonna be very familiar with the process,
[04:13.350 --> 04:14.990]  but not familiar with the data.
[04:14.990 --> 04:17.370]  And that's the sort of analysis
[04:17.370 --> 04:20.630]  that behavioral biometrics is now providing.
[04:21.350 --> 04:23.270]  So behavioral biometrics,
[04:23.270 --> 04:26.190]  you kind of heard about behavioral biometrics before,
[04:26.190 --> 04:28.910]  but more in the context of profiling.
[04:29.030 --> 04:31.050]  So the idea of behavioral biometrics,
[04:31.050 --> 04:33.350]  when it actually started,
[04:33.350 --> 04:37.150]  was to create a profile of a regular user behavior
[04:37.150 --> 04:39.090]  and then watch for anomalies.
[04:39.090 --> 04:40.930]  This is a classic example.
[04:40.930 --> 04:44.190]  You see someone that logs in
[04:44.190 --> 04:46.930]  and then interacts with their online banking application.
[04:46.930 --> 04:50.330]  What you see on the screen is the person's mouse motion.
[04:50.730 --> 04:53.150]  These are several sessions, several pages,
[04:53.150 --> 04:55.650]  but the mouse motion is basically the same.
[04:55.650 --> 04:57.450]  So that's how you create a profile
[04:57.450 --> 05:00.270]  of the regular user behavior.
[05:00.270 --> 05:03.110]  You can use keyboard analysis.
[05:03.110 --> 05:05.330]  You can analyze mouse motion.
[05:05.330 --> 05:07.610]  If the user is operating on a mobile device,
[05:07.610 --> 05:11.250]  you're gonna look at accelerometer, gyro, and touch data.
[05:11.350 --> 05:13.370]  The idea is to create a baseline
[05:13.820 --> 05:15.670]  and then watch for anomalies.
[05:15.670 --> 05:18.870]  In this specific case, this account was compromised.
[05:18.870 --> 05:21.330]  The user provided the credentials to a criminal,
[05:21.330 --> 05:23.390]  and now the criminal is accessing the account.
[05:23.390 --> 05:26.570]  You're gonna see a very different type of behavior.
[05:26.850 --> 05:30.210]  So now it's not the same mouse motion.
[05:30.210 --> 05:32.690]  There's a strange bump in the center of the motion.
[05:32.870 --> 05:36.470]  And essentially, this is a way for the financial institution,
[05:36.470 --> 05:37.510]  for example, to say,
[05:37.510 --> 05:41.090]  hey, we do see an anomaly based on the profile,
[05:41.090 --> 05:43.950]  based on the baseline that was created.
[05:43.950 --> 05:47.710]  Another use of behavioral biometrics is to look for threats.
[05:47.710 --> 05:49.970]  For example, remote access.
[05:50.230 --> 05:51.770]  This is a mobile device.
[05:51.770 --> 05:54.210]  User is interacting on a mobile device.
[05:54.210 --> 05:56.270]  You can see the swipe motions.
[05:56.270 --> 05:58.390]  These are not gonna be straight lines.
[05:58.390 --> 06:01.810]  Even if you think that you move in a straight line
[06:01.810 --> 06:04.690]  on your mobile device, you actually have a small arc.
[06:05.150 --> 06:06.610]  Then you see the taps.
[06:06.610 --> 06:09.110]  Now the taps are surrounded,
[06:09.110 --> 06:11.550]  the dot is surrounded by a blue circle.
[06:11.550 --> 06:15.030]  That's your finger pressing on the actual touch screen.
[06:15.030 --> 06:17.510]  That's a normal situation for this account.
[06:17.590 --> 06:21.050]  And now this account was compromised with a help desk scam.
[06:21.050 --> 06:22.070]  Hey, we're the help desk,
[06:22.070 --> 06:23.950]  there's something wrong with your account,
[06:23.950 --> 06:27.350]  your bank account, your mobile device, something like that.
[06:27.350 --> 06:29.270]  We're here to help you.
[06:29.270 --> 06:30.790]  You just have to install something
[06:31.390 --> 06:34.030]  allowing us remote assistance.
[06:34.050 --> 06:35.950]  People fall for that and then install
[06:35.950 --> 06:39.350]  some sort of remote assistant tools,
[06:40.250 --> 06:43.330]  or maybe like a rogue application.
[06:43.330 --> 06:46.650]  And then the attacker has remote access on their device.
[06:46.650 --> 06:48.550]  This does not look the same.
[06:48.830 --> 06:52.230]  Typically the attacker is gonna control that device
[06:52.230 --> 06:54.690]  using a mouse and keyboard.
[06:54.690 --> 06:57.930]  And essentially you're gonna see these long lines,
[06:57.930 --> 06:59.230]  that's mouse motion,
[06:59.230 --> 07:01.790]  not someone actually physically scrolling
[07:01.790 --> 07:03.710]  up and down on the device.
[07:03.710 --> 07:04.710]  And all of the dots,
[07:04.710 --> 07:06.310]  you don't see the blue circle around them
[07:06.310 --> 07:08.910]  because no one's actually touching the screen.
[07:08.910 --> 07:10.450]  You know, mouse clicks.
[07:10.670 --> 07:12.810]  Beyond that, because of the remote access,
[07:12.810 --> 07:14.490]  there's gonna be some latency.
[07:14.630 --> 07:16.750]  The latency creates some disruptions
[07:16.750 --> 07:18.530]  to hand-eye coordination.
[07:18.570 --> 07:19.650]  And if you have the right system,
[07:19.650 --> 07:21.150]  you can actually spot that and say,
[07:21.150 --> 07:23.890]  okay, we now know that this mobile device
[07:23.890 --> 07:26.350]  is being remotely controlled, right?
[07:26.850 --> 07:29.710]  Now, if we talk about account opening though,
[07:29.710 --> 07:31.350]  what's the use of behavioral biometrics?
[07:31.350 --> 07:33.390]  You cannot really profile anyone.
[07:33.750 --> 07:37.490]  They're just establishing the account, right?
[07:38.150 --> 07:41.630]  But if you actually look at the way criminals behave,
[07:42.190 --> 07:46.690]  you can now analyze second by second what they're doing.
[07:46.690 --> 07:50.450]  We're gonna start with a very interesting case
[07:50.450 --> 07:54.850]  from one of the top five credit card issuers in the US.
[07:55.210 --> 07:57.610]  They basically give you a credit card online
[07:57.610 --> 07:58.790]  within 30 seconds.
[07:58.790 --> 08:01.270]  You go to the website, you select a credit card,
[08:01.270 --> 08:02.950]  you click apply now,
[08:02.950 --> 08:06.050]  and then you start filling this online form,
[08:06.050 --> 08:09.770]  providing your name, email address, date of birth,
[08:09.770 --> 08:13.530]  mobile phone number, address, social security number,
[08:13.530 --> 08:15.050]  and other data points.
[08:15.930 --> 08:19.650]  Essentially, that's what regular users will go through,
[08:19.650 --> 08:21.430]  but also what criminals will go through.
[08:21.430 --> 08:25.630]  So let's actually look at a specific application.
[08:26.170 --> 08:28.230]  The session timeline here,
[08:28.230 --> 08:30.470]  every vertical bar is an interaction,
[08:30.470 --> 08:34.390]  like the user typed something or interacted with the form.
[08:34.390 --> 08:37.930]  It took one minute and 34 seconds to complete that.
[08:38.210 --> 08:40.030]  And the interesting thing is that the first name
[08:40.030 --> 08:43.690]  was pasted three seconds into the session.
[08:44.490 --> 08:47.110]  That's actually pretty incriminating.
[08:47.410 --> 08:50.350]  You know, why are you pasting your first name?
[08:50.350 --> 08:52.410]  You're supposed to be familiar with it.
[08:52.410 --> 08:55.010]  And the other thing is, how come it's so fast?
[08:55.010 --> 08:59.150]  There's actually a video that will show us how fast it was.
[08:59.310 --> 09:01.690]  So three seconds into the session,
[09:01.690 --> 09:03.530]  already we see control V.
[09:03.530 --> 09:05.590]  It's not autofill, by the way.
[09:05.950 --> 09:11.310]  Someone actually was ready before the application started,
[09:11.310 --> 09:15.030]  form started, went to the application flow,
[09:15.030 --> 09:17.750]  and then used control V to paste something.
[09:17.750 --> 09:19.870]  That's criminal behavior.
[09:20.330 --> 09:24.270]  Another thing that was pasted was the social security number,
[09:24.270 --> 09:26.290]  the date of birth was also pasted.
[09:26.290 --> 09:28.950]  You know, all of these suggest that whoever is doing this
[09:28.950 --> 09:33.510]  are not really familiar with the personal information,
[09:33.510 --> 09:35.590]  but they're also quite familiar with the process, right?
[09:35.590 --> 09:38.350]  Three seconds and they're beginning to interact.
[09:39.730 --> 09:42.010]  If we look at deposit fraud,
[09:42.010 --> 09:44.010]  that's another interesting trend.
[09:44.010 --> 09:46.230]  So we talked about credit card account opening.
[09:46.230 --> 09:48.210]  Of course, a criminal will be interested in that
[09:48.210 --> 09:50.090]  to just get a credit card or a loan
[09:50.090 --> 09:52.570]  or some sort of instant credit.
[09:52.770 --> 09:58.070]  But also deposit fraud is another lucrative type of business
[09:58.070 --> 10:01.270]  because what you do there is you open a new account
[10:01.710 --> 10:04.010]  and then you move money from a compromised account
[10:04.010 --> 10:05.390]  that you have.
[10:05.630 --> 10:07.610]  So let's say that you have money,
[10:07.610 --> 10:10.670]  an account that you've compromised in bank A,
[10:10.670 --> 10:12.870]  you open an account in bank B and say,
[10:12.870 --> 10:15.570]  hey, I'm the user, I wanna open an account,
[10:15.570 --> 10:17.830]  I wanna deposit something from bank A.
[10:18.370 --> 10:23.050]  Typically bank B will send some small transaction to bank A
[10:23.050 --> 10:27.810]  to prove that once you provide that specific amount
[10:27.810 --> 10:30.410]  to prove that you own that account, you access that account
[10:30.730 --> 10:32.650]  and you can provide that information.
[10:32.690 --> 10:36.490]  Of course, they're gonna do all of the regular KYC checks.
[10:36.590 --> 10:38.530]  But of course, if you own that account,
[10:38.530 --> 10:42.330]  if you actually not own, but control that account,
[10:42.930 --> 10:45.990]  you can provide all of that KYC information
[10:45.990 --> 10:49.630]  because you have access to the identity information
[10:49.630 --> 10:52.870]  and you also control the account in bank A,
[10:52.870 --> 10:55.030]  you can just open an account in bank B
[10:55.030 --> 10:58.590]  and move all of the money from account A to account B.
[10:58.590 --> 11:03.630]  Thing is that bank B is now responsible for the fraud loss.
[11:03.630 --> 11:05.050]  That's called deposit fraud.
[11:05.050 --> 11:07.470]  And let's actually see someone opening an account.
[11:07.810 --> 11:10.370]  They're pasting a lot of information.
[11:10.370 --> 11:14.790]  In this case, they're pasting the routing code,
[11:14.790 --> 11:17.890]  the account number, user ID, password,
[11:18.210 --> 11:25.050]  when they do the actual payment.
[11:25.620 --> 11:28.870]  And then the interesting thing here is,
[11:28.870 --> 11:31.530]  all of this is happening quite fast.
[11:31.530 --> 11:34.510]  And what you can see is they completed the funding.
[11:34.510 --> 11:36.910]  Now they completed opening the account.
[11:37.550 --> 11:43.150]  And look at the analysis showing genuine users
[11:43.150 --> 11:44.590]  versus criminals.
[11:44.590 --> 11:47.090]  About 2% of online account opening sessions
[11:47.090 --> 11:50.890]  will have this behavior where we see a paste
[11:50.890 --> 11:52.350]  from a different application.
[11:52.350 --> 11:54.910]  So essentially an alt tab to a different tab
[11:55.290 --> 11:58.130]  and then paste the information from that tab.
[11:58.210 --> 12:00.270]  That's 2% of the users.
[12:00.270 --> 12:01.990]  For criminals, it's 25%.
[12:02.670 --> 12:05.250]  This is pretty significant.
[12:05.250 --> 12:07.370]  So it's quite informative seeing that.
[12:07.370 --> 12:09.390]  At the same time, we also understand
[12:09.390 --> 12:12.150]  that you cannot really incriminate 2% of the population
[12:12.710 --> 12:15.670]  or we need more information because 25%
[12:16.370 --> 12:19.290]  is not gonna be a good detection rate
[12:19.290 --> 12:22.050]  if you wanna detect those sort of fraud cases.
[12:22.050 --> 12:25.210]  So in any case, that's like one type of analysis.
[12:25.630 --> 12:27.830]  Obviously, you need much more than that.
[12:27.830 --> 12:31.170]  But deposit fraud is another type of account opening fraud
[12:31.170 --> 12:33.570]  that is skyrocketing these days.
[12:33.990 --> 12:36.430]  So we talked about pasting information.
[12:36.430 --> 12:40.430]  We talked about typing information.
[12:40.430 --> 12:41.930]  Now let's look at the difference
[12:41.930 --> 12:44.290]  between good users and bad users.
[12:44.810 --> 12:46.990]  Criminals are gonna type off a list.
[12:46.990 --> 12:51.270]  So if they choose not to populate the field automatically
[12:51.270 --> 12:54.470]  with some sort of bot or to use a pasting,
[12:54.470 --> 12:58.210]  which you've seen that it's only 25% of the cases,
[12:58.210 --> 12:59.870]  they will typically type off a list.
[12:59.870 --> 13:01.570]  They have a list of victims.
[13:02.250 --> 13:04.210]  Thing is that short memory is limited
[13:04.210 --> 13:07.070]  to just seven characters or items.
[13:07.710 --> 13:09.950]  So think about someone typing a social security number
[13:09.950 --> 13:11.410]  that does not belong to them.
[13:11.410 --> 13:14.030]  It will be very mechanical, right?
[13:14.230 --> 13:19.250]  So we see someone typing the social security number.
[13:19.250 --> 13:24.670]  It takes them quite like nine seconds to complete the SSN.
[13:24.670 --> 13:27.870]  Typically it's gonna be something like four seconds
[13:27.870 --> 13:29.190]  for an SSN.
[13:30.370 --> 13:33.530]  Date of birth, it's like two digits.
[13:33.650 --> 13:34.790]  I'm looking at the list.
[13:34.790 --> 13:36.790]  I'm going back, okay, another two digits.
[13:37.130 --> 13:38.150]  Okay, I know the year.
[13:38.150 --> 13:39.730]  It's gonna be 19 something.
[13:39.730 --> 13:41.010]  Okay, what's the number?
[13:41.010 --> 13:43.330]  Again, going to the list, going back.
[13:43.330 --> 13:45.290]  This is a very mechanical process.
[13:45.290 --> 13:46.170]  Typing off a list is something
[13:46.170 --> 13:50.090]  that you can also understand criminals do.
[13:50.430 --> 13:52.530]  They wanna be efficient, they have a list,
[13:52.530 --> 13:54.770]  but essentially that's the way for them
[13:54.770 --> 13:59.270]  to show the fact that they are not familiar
[13:59.270 --> 14:00.210]  with that information.
[14:00.210 --> 14:01.930]  It's not top of their mind.
[14:03.390 --> 14:05.490]  As opposed to something that we're gonna see right now,
[14:05.490 --> 14:08.870]  sometimes the know your customer checks actually conflict
[14:08.870 --> 14:10.790]  with the next generation analysis.
[14:10.790 --> 14:13.890]  There was a specific case with one of the big card companies
[14:14.450 --> 14:15.970]  that essentially said,
[14:15.970 --> 14:17.550]  hey, we're gonna decline an application
[14:17.550 --> 14:19.810]  because it's definitely fraud.
[14:19.810 --> 14:23.330]  You know, 96% chance of something being fraud.
[14:23.610 --> 14:26.510]  But when we looked at the data, it was interesting.
[14:26.530 --> 14:28.510]  The session timeline, again,
[14:28.510 --> 14:31.050]  is all of the activities that the user is doing.
[14:31.210 --> 14:33.890]  And what you can see is that the social security number
[14:33.890 --> 14:35.830]  is typed continuously.
[14:36.210 --> 14:37.170]  And by the way, behavioral biometrics
[14:37.170 --> 14:39.150]  is not interested in the data itself.
[14:39.150 --> 14:41.330]  You're gonna see it's all, you know, 111s.
[14:41.330 --> 14:43.890]  When we actually look at it again,
[14:43.890 --> 14:45.990]  the typing is quite confident.
[14:46.310 --> 14:48.590]  You know, you don't see the same thing
[14:48.590 --> 14:50.030]  like typing off a list.
[14:50.030 --> 14:51.810]  Certainly you don't see any pasting.
[14:51.810 --> 14:53.170]  It's not autofill.
[14:53.390 --> 14:55.910]  Whoever is typing this information is quite familiar
[14:55.910 --> 14:57.250]  with the social security number,
[14:57.250 --> 15:00.350]  suggesting it's their own social security number.
[15:00.350 --> 15:02.830]  Long-term memory is a very strong inheritance field.
[15:03.090 --> 15:06.230]  The other interesting thing here, look at the timeline.
[15:06.290 --> 15:08.870]  There's a 58 second pause.
[15:08.870 --> 15:09.590]  Why?
[15:09.590 --> 15:14.310]  Because in this specific case, it's a hotel credit card.
[15:14.370 --> 15:16.250]  So in order to open the account,
[15:16.250 --> 15:18.710]  you need to provide your hotel loyalty number.
[15:18.710 --> 15:21.150]  You probably have some hotel loyalty numbers,
[15:21.150 --> 15:22.890]  but no one remembers them.
[15:22.890 --> 15:25.170]  And it takes you a minute or two to fetch them,
[15:25.170 --> 15:27.610]  maybe from your inbox or something like that.
[15:27.610 --> 15:28.890]  Maybe it's in your wallet.
[15:29.750 --> 15:32.310]  So about one minute is the norm.
[15:32.590 --> 15:35.250]  And we do see that this user also, you know,
[15:35.250 --> 15:38.110]  paused for about one minute to fetch that number
[15:38.110 --> 15:40.090]  and then continued with the application.
[15:40.290 --> 15:43.770]  This is a very, very positive sign, right?
[15:43.770 --> 15:46.410]  This person behaves like everyone else.
[15:46.410 --> 15:49.210]  Criminals are not going to bother with waiting for one minute
[15:49.210 --> 15:51.090]  because they need this information.
[15:51.090 --> 15:53.370]  They have this information. It's all ready for them.
[15:53.370 --> 15:55.550]  It's going to be right along, you know, the name,
[15:55.550 --> 15:57.290]  date of birth and social security number
[15:57.970 --> 16:00.350]  because they need it to open the account.
[16:00.730 --> 16:03.310]  Whereas, you know, real users,
[16:03.310 --> 16:04.830]  there's going to be some type of information
[16:04.830 --> 16:06.650]  that you're going to be very familiar with.
[16:06.650 --> 16:09.170]  It's etched in your long-term memory.
[16:09.450 --> 16:11.610]  But other types of information you have to research,
[16:11.610 --> 16:12.990]  you have to fetch.
[16:14.030 --> 16:15.730]  And that's essentially analyzing
[16:15.730 --> 16:19.350]  the way a genuine user will behave.
[16:19.490 --> 16:20.510]  So what do we have here?
[16:20.510 --> 16:22.090]  We have here a kind of a conflict
[16:22.090 --> 16:24.890]  because the analysis suggests,
[16:24.890 --> 16:26.110]  the next-generation analysis suggests
[16:26.110 --> 16:28.110]  that it's a good user, right?
[16:28.110 --> 16:29.530]  Familiar with the social security number,
[16:29.530 --> 16:30.970]  behaves like everyone else.
[16:31.010 --> 16:34.030]  But the card company said, hey, that's bad.
[16:34.370 --> 16:36.050]  We were actually curious about that.
[16:36.050 --> 16:37.250]  We asked the credit card company,
[16:37.250 --> 16:38.870]  hey guys, what do you, you know,
[16:38.870 --> 16:42.250]  why you think this is going to be a fraudulent application?
[16:42.470 --> 16:44.610]  They said, well, we like you very much guys,
[16:44.610 --> 16:48.070]  but it has to be fraud because the guy is dead.
[16:48.190 --> 16:49.990]  He's been dead for 10 years.
[16:49.990 --> 16:51.930]  You know, we checked the social security number.
[16:51.930 --> 16:53.670]  It belongs to a dead person.
[16:54.610 --> 16:56.070]  Well, that was bad.
[16:56.210 --> 16:58.730]  I mean, we were so sure that this is,
[16:59.150 --> 17:01.610]  you know, an actual genuine person.
[17:02.070 --> 17:04.410]  And, you know, we asked the issuer,
[17:04.410 --> 17:06.670]  can you actually call the user, you know,
[17:06.670 --> 17:08.790]  to try and find out what went on here?
[17:08.790 --> 17:11.210]  Because, you know, it looks so real,
[17:11.210 --> 17:13.370]  like it's a real genuine person.
[17:13.370 --> 17:14.830]  They said, they're dead.
[17:14.830 --> 17:15.910]  We're not going to call them.
[17:15.910 --> 17:18.530]  We had a bit of an argument and eventually they caved in
[17:18.530 --> 17:20.150]  and said, okay, we're going to call them.
[17:20.150 --> 17:21.310]  Let's see what happens.
[17:22.450 --> 17:26.190]  So the fraud operations team now calls the user.
[17:26.230 --> 17:27.390]  It was a miracle.
[17:27.390 --> 17:28.210]  He picked up the phone.
[17:28.210 --> 17:29.250]  He was not dead.
[17:30.390 --> 17:34.510]  Ended up that he had a typo in the social security number.
[17:34.510 --> 17:35.690]  He just had a mistake.
[17:35.690 --> 17:36.810]  Let's see it again.
[17:37.030 --> 17:38.990]  You know, typed very confidently,
[17:38.990 --> 17:41.550]  but with a typo that the user did not realize.
[17:42.090 --> 17:44.590]  This actually matched to a totally different person.
[17:44.590 --> 17:45.410]  The name was wrong.
[17:45.410 --> 17:48.870]  The social security was belonging to someone that died.
[17:49.730 --> 17:52.350]  So sometimes the data is going to suggest
[17:52.350 --> 17:54.770]  that this is a bad application,
[17:54.770 --> 17:56.830]  but some of the next generation analysis
[17:56.830 --> 17:58.490]  don't really care about the data.
[17:58.490 --> 18:01.230]  It cares about the way you behave.
[18:01.230 --> 18:03.350]  It cares about, you know, your device,
[18:03.350 --> 18:05.690]  your, you know, other elements.
[18:05.790 --> 18:08.530]  And therefore sometimes it's more trustworthy
[18:08.530 --> 18:11.610]  than actually, you know, looking at the data itself.
[18:12.290 --> 18:14.330]  Let's move to synthetic identity.
[18:14.330 --> 18:16.870]  Synthetic identity is a very interesting new problem
[18:16.870 --> 18:19.250]  in the U.S., relatively new.
[18:19.450 --> 18:21.850]  It hasn't been around for over a decade,
[18:21.850 --> 18:24.930]  but it's becoming more and more of a problem.
[18:25.530 --> 18:26.950]  This is from ID Analytics.
[18:26.950 --> 18:29.550]  And what you can see is, you know,
[18:29.550 --> 18:31.570]  social security belonging to, you know,
[18:31.570 --> 18:35.170]  one identity, a name is invented,
[18:35.170 --> 18:37.650]  or, you know, belonging to a different identity,
[18:37.650 --> 18:39.350]  date of birth, et cetera, et cetera.
[18:39.350 --> 18:44.130]  It's like combining a kind of, you know,
[18:44.130 --> 18:47.590]  sort of a digital identity
[18:47.590 --> 18:50.230]  that does not really belong to any specific person
[18:50.230 --> 18:53.230]  because it's a mashup of various identities.
[18:54.190 --> 18:57.350]  Now, then what do they do with this identity?
[18:57.350 --> 18:59.890]  Because that identity obviously cannot open a credit card,
[18:59.890 --> 19:02.790]  right? They don't have any kind of credit history.
[19:02.790 --> 19:04.750]  No one's gonna give them a loan.
[19:04.890 --> 19:06.810]  So the idea is to create a synthetic identity
[19:06.810 --> 19:11.910]  and then through some collusion with rogue lenders,
[19:11.910 --> 19:16.130]  begin to apply for loans and then build credit history
[19:16.130 --> 19:17.870]  by returning the loan.
[19:17.870 --> 19:20.750]  So it's reported as a positive thing.
[19:20.750 --> 19:24.130]  Another trick is to attach this identity
[19:24.560 --> 19:27.090]  to someone who has a perfect FICO score,
[19:27.090 --> 19:28.530]  like a credit card account holder
[19:28.530 --> 19:31.690]  as a secondary user in that account.
[19:31.690 --> 19:32.990]  That's another thing that you can do
[19:32.990 --> 19:37.650]  to essentially get the tenure of a good user.
[19:38.170 --> 19:41.010]  So whether you focus on building a credit history
[19:41.010 --> 19:44.490]  or just, you know, a very good tenure,
[19:44.490 --> 19:46.310]  the idea is to create this identity
[19:46.310 --> 19:50.030]  and then, you know, create a credit history
[19:50.030 --> 19:52.390]  and, you know, good credit for that person
[19:52.390 --> 19:54.190]  who does not exist, of course.
[19:54.190 --> 19:55.430]  And then launching your attack.
[19:55.430 --> 19:59.610]  You know, you just go to a credit card company,
[19:59.610 --> 20:01.490]  open a credit card account,
[20:01.490 --> 20:05.290]  you maybe apply for a loan, a mortgage even, et cetera.
[20:06.230 --> 20:07.830]  One in four synthetic identities
[20:07.830 --> 20:10.930]  are actually using child's social security numbers.
[20:10.930 --> 20:14.210]  And the, you know, trafficking in child social security number
[20:14.210 --> 20:16.590]  in the dark web has increased dramatically.
[20:17.000 --> 20:20.510]  A lot of these are coming from healthcare breaches.
[20:21.230 --> 20:22.910]  So that's a very interesting trend.
[20:22.910 --> 20:25.330]  And of course, not something that we want to see,
[20:25.330 --> 20:26.850]  you know, in the industry.
[20:27.030 --> 20:28.950]  The reaction of the industry
[20:29.340 --> 20:32.150]  was to start suspecting lots of people.
[20:32.590 --> 20:36.390]  So let's actually see one example.
[20:36.390 --> 20:40.970]  We see someone who is 31 years old,
[20:40.970 --> 20:44.890]  no driver's license, very thin credit history,
[20:44.890 --> 20:47.350]  and the social security was issued recently,
[20:47.350 --> 20:50.390]  just a few years ago, obviously highly suspicious.
[20:50.390 --> 20:51.950]  They were asked to provide, you know,
[20:51.950 --> 20:54.050]  government records, tax records,
[20:54.050 --> 20:56.050]  and then they never submitted the records.
[20:56.050 --> 20:57.490]  So the transaction was canceled.
[20:57.490 --> 20:59.010]  The application was canceled.
[20:59.150 --> 21:00.790]  Let's see the way they apply.
[21:00.790 --> 21:02.510]  This is from an iPhone.
[21:02.510 --> 21:05.010]  So they're applying via an iPhone.
[21:05.010 --> 21:08.230]  They're providing right now their email.
[21:09.070 --> 21:12.770]  They're providing date of birth.
[21:12.770 --> 21:14.970]  They had a typo in the date of birth,
[21:14.970 --> 21:16.490]  so they corrected it and just continued,
[21:16.490 --> 21:18.670]  but it's all natural and very confident.
[21:18.670 --> 21:20.070]  This is the phone number.
[21:21.210 --> 21:23.310]  Little pause before annual income,
[21:23.310 --> 21:24.150]  they kind of thought about it,
[21:24.150 --> 21:26.410]  and then they provided the annual income,
[21:26.410 --> 21:29.090]  and then went to type the social security.
[21:29.090 --> 21:32.410]  And again, you can see it's all very natural, no pauses.
[21:32.410 --> 21:34.590]  This is not someone typing off a list,
[21:34.590 --> 21:36.210]  not someone pasting information.
[21:36.210 --> 21:39.770]  They're familiar with all of the personal data fields.
[21:39.910 --> 21:41.630]  Another interesting thing is,
[21:41.630 --> 21:46.110]  they also looked at the rates and fees for 90 seconds
[21:46.110 --> 21:48.670]  before even starting the application.
[21:48.770 --> 21:51.710]  Now, if you kind of look at all of these together,
[21:51.710 --> 21:54.150]  this is not gonna be a synthetic identity.
[21:54.190 --> 21:58.450]  This may be a suspect, but it looks like a genuine person.
[21:58.450 --> 22:00.850]  And when the credit issuer, you know,
[22:00.850 --> 22:05.670]  that had this level of analysis investigated further,
[22:05.670 --> 22:08.730]  what they found was, it's an immigrant.
[22:08.730 --> 22:10.470]  It kind of explains everything, you know,
[22:10.470 --> 22:13.090]  the SSN and the thin file.
[22:13.850 --> 22:16.070]  This is someone who works for a big tech firm
[22:16.070 --> 22:18.930]  in San Francisco area.
[22:18.990 --> 22:20.570]  They're actually a great candidate,
[22:20.750 --> 22:22.190]  a great acquisition target.
[22:22.570 --> 22:26.290]  So, you know, blaming them and pointing the finger
[22:26.290 --> 22:28.490]  and saying, hey, you're probably some sort of
[22:29.010 --> 22:31.370]  synthetic identity, you have to prove yourself.
[22:31.710 --> 22:34.530]  That was something that almost killed
[22:34.530 --> 22:35.730]  that specific application.
[22:35.730 --> 22:38.690]  Of course, that's not what banks
[22:38.690 --> 22:40.090]  and issuers would like to do.
[22:41.670 --> 22:42.950]  Let's see the opposite.
[22:43.050 --> 22:46.010]  Now let's see someone who is too familiar with the process.
[22:46.610 --> 22:49.050]  You know, before we saw someone that was not familiar,
[22:49.050 --> 22:50.590]  wanting to see the terms and conditions
[22:50.590 --> 22:51.570]  and stuff like that.
[22:51.570 --> 22:53.950]  But this is someone who is too familiar.
[22:54.470 --> 22:55.550]  Income source, right?
[22:55.550 --> 22:57.190]  When you click on the income source,
[22:57.190 --> 23:00.530]  when you open an account, there's this window that says,
[23:00.530 --> 23:02.910]  okay, employed, retired, self-employed, unemployed,
[23:02.910 --> 23:03.630]  military, et cetera.
[23:03.630 --> 23:05.930]  It takes you maybe like four seconds, five seconds
[23:05.930 --> 23:08.230]  to read through and say, okay, well, I'm employed.
[23:08.230 --> 23:09.830]  So let's click employed.
[23:10.650 --> 23:14.130]  And then if we look at specific cyber gang,
[23:14.130 --> 23:17.170]  again, that was attacking one of the banks,
[23:17.170 --> 23:18.670]  it was less than a second.
[23:18.670 --> 23:21.790]  I mean, they knew what's going to happen.
[23:21.790 --> 23:23.530]  They have been there before.
[23:23.530 --> 23:25.670]  They are opening, you know, lots of accounts.
[23:25.750 --> 23:28.710]  So they're not stuck on this screen.
[23:28.710 --> 23:29.730]  They know what to select.
[23:29.730 --> 23:32.330]  It takes them less than a second to select something
[23:32.330 --> 23:33.710]  and then proceed.
[23:33.710 --> 23:36.830]  This is someone too familiar with the process.
[23:36.970 --> 23:38.570]  So if you think about all of the criminals,
[23:38.570 --> 23:39.930]  I mean, they have the data.
[23:40.350 --> 23:43.070]  They're attacking the same target, you know,
[23:43.070 --> 23:46.430]  again and again, because they know the specific controls
[23:46.430 --> 23:48.150]  in that specific target.
[23:48.210 --> 23:51.150]  They know they're not going to be caught.
[23:51.270 --> 23:53.330]  So therefore, they're going to be very familiar
[23:53.330 --> 23:54.370]  with the process.
[23:54.370 --> 23:56.390]  They're not going to be familiar with the data.
[23:56.390 --> 23:59.750]  And that's essentially what we see here.
[23:59.890 --> 24:04.230]  Another interesting trend is looking at the age
[24:04.230 --> 24:07.630]  of the user reflected in their behavior.
[24:07.630 --> 24:10.710]  And this is another fascinating example.
[24:10.710 --> 24:13.930]  This specific user applying for a credit card
[24:13.930 --> 24:16.450]  was born in 1918.
[24:16.450 --> 24:18.590]  You kind of remember the year, right?
[24:18.590 --> 24:22.570]  Because World War I ended and also the Spanish flu.
[24:22.570 --> 24:24.610]  That was also 1918.
[24:24.710 --> 24:27.450]  Let's see someone who is over 100 years old
[24:27.450 --> 24:28.950]  applying for a credit card.
[24:28.950 --> 24:31.610]  So extremely rapid mouse motion,
[24:32.330 --> 24:35.670]  extensive use of tab and mouse wheel.
[24:35.670 --> 24:40.090]  This is not typical for someone who is over 100 years old.
[24:40.090 --> 24:43.490]  And of course, it's all around statistics and probabilities,
[24:43.490 --> 24:46.650]  but it's highly unlikely that this person
[24:46.650 --> 24:53.350]  is such an elderly citizen.
[24:53.760 --> 24:56.990]  The bottom line is that when you look at criminals
[24:57.550 --> 24:59.970]  and a lot of the behavior that they will display
[25:00.520 --> 25:03.750]  is not going to be in line with genuine users,
[25:04.270 --> 25:07.750]  claimed age of the user or the known age of the user,
[25:07.750 --> 25:09.210]  et cetera.
[25:10.650 --> 25:17.750]  Another interesting thing is the fact that sometimes,
[25:17.750 --> 25:20.390]  even without seeing any of the data,
[25:20.390 --> 25:24.310]  you do know that something is wrong.
[25:25.210 --> 25:29.530]  And this is called the curious case of the straw company.
[25:30.140 --> 25:30.910]  Let me explain.
[25:30.910 --> 25:31.990]  This is a straw company.
[25:34.090 --> 25:36.610]  The name of the company, we kind of changed.
[25:36.610 --> 25:37.830]  It's not the last straw,
[25:37.830 --> 25:41.450]  but it's a company based in San Diego.
[25:41.450 --> 25:45.190]  It provides quality paper straws.
[25:45.190 --> 25:47.710]  As you know, in California, it's the law.
[25:47.710 --> 25:52.170]  You have to provide your customers with paper straws.
[25:52.170 --> 25:55.030]  So people can buy those packs.
[25:55.030 --> 25:58.570]  If you're a restaurant, you buy a crate full of straws.
[25:58.810 --> 26:03.010]  There was a sizable order of 62 crates.
[26:04.770 --> 26:09.550]  740,000 straws costing $15,000
[26:10.560 --> 26:14.550]  plus $10,000 for urgent shipping to Tuvalu.
[26:14.550 --> 26:16.290]  What's Tuvalu?
[26:16.290 --> 26:17.730]  Welcome to Tuvalu.
[26:17.730 --> 26:21.050]  It's an island in the Pacific Ocean, 11,000 people.
[26:21.050 --> 26:23.110]  They don't need that many straws.
[26:23.110 --> 26:25.150]  So this is all curious.
[26:25.450 --> 26:29.610]  However, in this specific case,
[26:29.610 --> 26:32.970]  even without knowing any of this data,
[26:32.970 --> 26:36.210]  not the fact that it's a straw company selling straws,
[26:36.210 --> 26:38.130]  not the fact that it's a very big order,
[26:38.130 --> 26:40.570]  the number of straws, the payment for the straws,
[26:40.570 --> 26:43.710]  the $10,000 for the urgent shipping,
[26:43.710 --> 26:46.970]  the location in the middle of the Pacific Ocean,
[26:46.970 --> 26:49.650]  without seeing any of this data,
[26:49.650 --> 26:51.370]  you could know that this is fraud
[26:51.370 --> 26:55.850]  simply based on the way the information was provided.
[26:55.970 --> 26:57.770]  And again, let's see a quick video.
[26:57.770 --> 27:02.470]  This is someone pasting the credit card number
[27:03.470 --> 27:06.270]  and the CV2,
[27:06.950 --> 27:08.670]  typing the expiration
[27:09.970 --> 27:12.170]  and pasting the postal code.
[27:12.170 --> 27:14.210]  Think about your postal code.
[27:14.210 --> 27:16.550]  Did you ever paste your postal code?
[27:16.550 --> 27:18.770]  It's easier to type your postal code,
[27:18.770 --> 27:20.430]  you know, your zip code,
[27:20.430 --> 27:22.490]  than to type it, you know,
[27:22.490 --> 27:24.810]  easier to type it than to paste it.
[27:24.810 --> 27:27.530]  You know, people don't paste the zip code.
[27:27.670 --> 27:29.810]  In fact, when you look at the statistics,
[27:29.810 --> 27:32.250]  it's about 99.9% of the users,
[27:32.250 --> 27:33.910]  they never paste the zip code.
[27:34.930 --> 27:36.730]  This is by the way, one small fact,
[27:36.730 --> 27:39.730]  but there are, you know, dozens of features,
[27:39.730 --> 27:42.870]  you know, around each of those fields.
[27:43.030 --> 27:46.050]  Another interesting thing about zip code
[27:46.050 --> 27:48.710]  is how fast you begin typing your zip code.
[27:48.950 --> 27:50.430]  Because you're familiar with it,
[27:50.430 --> 27:53.670]  you have some muscle memory that immediately starts,
[27:54.190 --> 27:55.290]  you know, going into action
[27:55.290 --> 27:58.310]  and almost like automatically typing your zip code
[27:58.310 --> 28:02.690]  if you go through some sort of online form.
[28:02.970 --> 28:05.710]  Bottom line is this person is not familiar
[28:05.710 --> 28:08.450]  with their own zip code.
[28:09.330 --> 28:11.850]  Now, this was a curious case
[28:11.850 --> 28:14.930]  because you can say, okay, fine,
[28:15.410 --> 28:17.230]  we shouldn't trust this transaction.
[28:17.230 --> 28:20.190]  You know, it looks very, very suspicious.
[28:20.630 --> 28:24.530]  But why would a fraudster go through all of the trouble
[28:25.070 --> 28:29.270]  of buying 62 crates, okay, all of these straws
[28:29.750 --> 28:32.110]  and ship them urgently to Tuvalu?
[28:32.110 --> 28:33.070]  What's the point?
[28:33.070 --> 28:34.330]  What are they trying to achieve?
[28:34.330 --> 28:35.970]  I mean, are they trying to, you know,
[28:35.970 --> 28:39.050]  take the goods and then sell them in Tuvalu?
[28:39.050 --> 28:40.910]  What for, you know?
[28:41.390 --> 28:44.910]  You might think of all sorts of creative ideas.
[28:44.910 --> 28:48.430]  I mean, maybe they need the straws to buy some,
[28:48.430 --> 28:50.850]  you know, to build some huts.
[28:51.470 --> 28:55.090]  Tuvalu is actually having water level issues.
[28:55.090 --> 29:01.310]  I mean, the surface water level is rising all the time.
[29:01.310 --> 29:03.850]  Maybe they need the straws for emergency or something.
[29:03.850 --> 29:06.030]  No, it wasn't something like that.
[29:06.030 --> 29:08.170]  And the interesting thing about this specific fraud
[29:08.170 --> 29:12.730]  was the amount for the shipping, $10,000.
[29:12.730 --> 29:16.990]  The entire thing was built to inflate the amount.
[29:16.990 --> 29:20.230]  It's an urgent shipping to the middle of the Pacific Ocean,
[29:20.230 --> 29:21.510]  62 crates.
[29:21.510 --> 29:23.810]  It will have to cost a fortune.
[29:24.090 --> 29:27.010]  So what actually happened here was the following.
[29:27.030 --> 29:29.870]  After making the payment, go through, right?
[29:29.870 --> 29:32.490]  So, you know, using a corporate credit card,
[29:32.490 --> 29:34.750]  one of the U.S. banks,
[29:36.570 --> 29:41.270]  the, you know, user called the merchant and said,
[29:41.270 --> 29:43.230]  hey, I have made a terrible mistake.
[29:43.230 --> 29:45.670]  I didn't realize it's so expensive.
[29:45.670 --> 29:47.770]  You know, $10,000, you know,
[29:47.770 --> 29:50.030]  your shipping company is crazy.
[29:50.030 --> 29:52.070]  They charge $10,000 for this.
[29:52.070 --> 29:54.370]  I have another shipping company that I prefer using
[29:54.370 --> 29:56.650]  and they only charge $2,000.
[29:56.650 --> 29:57.870]  Can you do me a favor?
[29:57.870 --> 29:59.870]  Because I already paid you $10,000.
[30:00.350 --> 30:03.910]  Can you move $10,000 to that shipping company?
[30:03.950 --> 30:05.410]  And then they'll use it for this shipping
[30:05.410 --> 30:08.470]  and then additional shipping that they'll have in the future.
[30:08.470 --> 30:10.230]  You know, like crediting me.
[30:10.670 --> 30:13.050]  And the merchant says, are you sure?
[30:13.050 --> 30:14.410]  I mean, there's lots of crates here.
[30:14.410 --> 30:15.890]  Yeah, they're fantastic.
[30:15.890 --> 30:16.810]  We work with them all the time.
[30:16.810 --> 30:17.510]  They're very cheap.
[30:17.510 --> 30:19.890]  You should, you know, use them for all of your shipping.
[30:21.270 --> 30:24.450]  And of course it wasn't a real, you know,
[30:24.450 --> 30:26.210]  shipping company, it was an account created
[30:26.210 --> 30:28.430]  or opened by the criminal.
[30:28.510 --> 30:31.750]  The bottom line is when you think about account opening,
[30:31.750 --> 30:33.250]  you know, even e-commerce fraud,
[30:33.250 --> 30:36.770]  any kind of case and scenario where you have a new user,
[30:36.770 --> 30:39.490]  you don't have any kind of profile on the user,
[30:39.490 --> 30:41.170]  prior behavior to look at,
[30:41.170 --> 30:44.110]  transaction monitoring to look at and things like that.
[30:44.730 --> 30:47.230]  You know that KYC is dead,
[30:47.230 --> 30:49.970]  but you do have more and more capabilities,
[30:49.970 --> 30:53.130]  device reputation, location analysis,
[30:53.130 --> 30:55.030]  this sort of analysis called behavior biometrics
[30:55.490 --> 30:59.870]  to tell you, hey, something is either very good about this
[30:59.870 --> 31:03.590]  or something is terribly wrong about this.
[31:04.370 --> 31:06.590]  Another interesting thing to notice is
[31:06.590 --> 31:10.650]  that the AO fraud is really changing the ecosystem.
[31:10.910 --> 31:14.070]  This is from California.
[31:15.090 --> 31:16.730]  There was a new digital bank
[31:16.730 --> 31:18.170]  that was opened.
[31:18.630 --> 31:22.310]  And when you actually look at number of new users
[31:22.310 --> 31:23.970]  on a daily basis, you know,
[31:23.970 --> 31:28.130]  it's around 100 people on a daily basis.
[31:28.210 --> 31:32.870]  And all of a sudden, it jumped to about 700 people.
[31:33.270 --> 31:34.450]  So this is crazy.
[31:34.450 --> 31:35.270]  I mean, they said, hey,
[31:35.270 --> 31:37.710]  finally the marketing team is doing something.
[31:37.730 --> 31:39.930]  No, they're not.
[31:39.930 --> 31:41.110]  It's an attack.
[31:41.110 --> 31:43.350]  You have 100 good users
[31:43.760 --> 31:47.550]  and 600 bad users every day.
[31:48.310 --> 31:52.490]  And essentially the bank did have device reputation
[31:53.300 --> 31:55.150]  and email reputation,
[31:55.150 --> 31:57.250]  meaning what do we know about this email
[31:57.250 --> 31:58.690]  and how does it relate to the device
[31:58.690 --> 32:00.350]  and the phone and other elements.
[32:00.350 --> 32:04.350]  This was allowing them to stop about 50% of the attack,
[32:04.350 --> 32:06.430]  but there were still 300 people
[32:07.120 --> 32:09.830]  that were registering every day
[32:10.250 --> 32:13.590]  as opposed to something like 100 good users.
[32:13.670 --> 32:15.070]  This is not sustainable.
[32:15.070 --> 32:17.090]  The bank will have to either, you know,
[32:17.090 --> 32:20.070]  stop receiving new customers or allow them in,
[32:20.070 --> 32:22.610]  but then don't allow them to make, you know,
[32:22.610 --> 32:24.450]  any kind of money transfers or move money out
[32:24.450 --> 32:26.030]  until they sort out, you know,
[32:26.030 --> 32:28.230]  who's a good user and who's a bad user.
[32:28.230 --> 32:28.910]  And that's difficult
[32:28.910 --> 32:30.890]  because the criminals will know everything
[32:30.890 --> 32:32.290]  about the good users.
[32:33.790 --> 32:35.310]  Initially, when I looked at that,
[32:35.310 --> 32:36.810]  I thought that it may be like a bot
[32:36.810 --> 32:38.610]  that is opening all of these accounts.
[32:38.650 --> 32:39.610]  No, it wasn't.
[32:39.610 --> 32:40.850]  It was a human being.
[32:41.110 --> 32:43.790]  And in fact, it was a specific person
[32:43.790 --> 32:46.690]  that was opening all of these hundreds of accounts.
[32:46.910 --> 32:48.690]  They were doing it very mechanically.
[32:48.690 --> 32:51.190]  They were very familiar with the onboarding process.
[32:51.210 --> 32:54.390]  They were totally unfamiliar with the data, okay?
[32:54.390 --> 32:57.530]  Short-term memory, typing mechanically, working off a list,
[32:57.530 --> 32:58.870]  not pasting any information.
[32:58.870 --> 33:01.550]  They were just typing all, you know, all day long.
[33:02.230 --> 33:04.850]  So that's essentially one of the risks
[33:04.850 --> 33:10.070]  that banks and fintech companies are facing these days.
[33:10.070 --> 33:12.370]  Whenever you launch a new digital product
[33:12.770 --> 33:15.810]  and you just open it to, you know,
[33:15.810 --> 33:18.190]  the entire world to register,
[33:18.190 --> 33:20.910]  if you don't have the right capabilities
[33:20.910 --> 33:24.050]  to detect those sort of attacks, you can go down.
[33:24.110 --> 33:27.490]  You can really suffer from a massive campaign like this.
[33:27.490 --> 33:31.550]  Not a bot campaign, not a DDoS attack, nothing like that.
[33:31.550 --> 33:34.650]  Just, you know, opening a lot of fake accounts
[33:34.650 --> 33:36.690]  that belong to real people.
[33:36.870 --> 33:39.470]  Not synthetic identities, it's just identity theft
[33:39.470 --> 33:41.750]  because the data is there.
[33:41.750 --> 33:44.850]  And then it's gonna be very, very problematic
[33:45.370 --> 33:47.170]  to handle the situation.
[33:47.170 --> 33:50.230]  So new digital banks, you know, good luck with that.
[33:50.230 --> 33:53.570]  Make sure that you have these sort of defenses in place.
[33:53.650 --> 33:56.510]  Another impact of account opening fraud on the economy
[33:57.070 --> 34:01.610]  is a new service in the US called Zelle.
[34:01.610 --> 34:03.430]  And I'm sure most of you know Zelle.
[34:03.430 --> 34:04.470]  It's a great service.
[34:04.470 --> 34:07.550]  It allows you to pay from your account.
[34:08.730 --> 34:10.350]  You know, I think that in the UK,
[34:10.350 --> 34:18.170]  you'll have similar types of money movement capabilities.
[34:18.190 --> 34:22.130]  You basically can send money to anyone in your contact list.
[34:22.130 --> 34:24.830]  You can send money to an email account,
[34:24.830 --> 34:25.850]  you know, things like that.
[34:26.170 --> 34:32.310]  This is in the US and because of the ease of account opening
[34:32.670 --> 34:35.970]  and the ease of compromising email accounts,
[34:36.290 --> 34:42.130]  the whole Zelle industry is essentially shaking
[34:42.130 --> 34:45.630]  because this is, you know, a single story,
[34:45.630 --> 34:49.550]  but it kind of reflects the underlying problem
[34:49.550 --> 34:52.010]  of the whole system.
[34:52.010 --> 34:52.830]  So in this case,
[34:52.830 --> 34:54.170]  this process randomly compromised
[34:54.170 --> 34:56.770]  the business owner's email account, right?
[34:56.770 --> 35:00.850]  So just a regular, you know, Gmail, Yahoo,
[35:00.850 --> 35:06.070]  whatever sort of account belonging to a person,
[35:07.150 --> 35:10.690]  they saw that this person was interacting
[35:11.350 --> 35:16.410]  with the renters of their property and saying,
[35:16.410 --> 35:19.730]  hey, if you want to move money, why don't you use Zelle?
[35:19.730 --> 35:23.610]  You can send me the rent money using Zelle.
[35:23.610 --> 35:27.730]  So what the criminal did was open a fake account, okay?
[35:27.730 --> 35:34.050]  Using the same information at a top five bank
[35:34.390 --> 35:37.570]  and then enrolling for Zelle at that bank
[35:37.570 --> 35:39.870]  using the compromised email.
[35:39.910 --> 35:44.210]  Now the thing is that once you use the email of the user,
[35:44.210 --> 35:48.670]  that new bank account is now attached to that email, right?
[35:48.670 --> 35:51.730]  The bank will obviously send something to the email
[35:51.730 --> 35:54.210]  like a one-time code that you have to repeat.
[35:54.210 --> 35:57.830]  So it basically proves that you control that email.
[35:57.970 --> 36:00.770]  But if that email is compromised, okay,
[36:00.770 --> 36:03.030]  this check doesn't mean anything.
[36:03.030 --> 36:05.630]  So essentially, you know, beating the KYC checks
[36:05.630 --> 36:14.030]  and then beating the email check of a new registration,
[36:14.790 --> 36:17.070]  attaching that new bank account to that email.
[36:17.690 --> 36:20.290]  And the bank said, okay, but this email address
[36:20.290 --> 36:22.990]  is already linked to another account at another bank.
[36:22.990 --> 36:25.110]  Do you want to change it to our bank?
[36:25.110 --> 36:26.490]  And the fraudster says, yeah.
[36:26.870 --> 36:30.710]  And the bank simply enrolled the fraudster in Zelle,
[36:30.710 --> 36:35.770]  you know, because now this email account, you know,
[36:35.770 --> 36:38.930]  basically is attached to this new account.
[36:41.750 --> 36:44.750]  And basically at that point, it's a game over
[36:44.750 --> 36:50.250]  because any money movement that will go to this email account
[36:50.250 --> 36:52.470]  will automatically go to the fraudster's new account
[36:52.470 --> 36:56.050]  at this top five bank.
[36:56.110 --> 36:57.530]  All right, so the renter sent the money
[36:57.530 --> 37:00.190]  to the Zelle email address as normal,
[37:00.190 --> 37:02.050]  but now going to a newly opened account
[37:02.050 --> 37:03.030]  controlled by the criminal
[37:03.030 --> 37:05.990]  rather than the real user, game over.
[37:05.990 --> 37:10.710]  So essentially, the fact that account opening
[37:11.610 --> 37:14.810]  so far was not top priority for banks,
[37:14.810 --> 37:16.630]  credit card companies, et cetera,
[37:16.630 --> 37:19.470]  and it's changing the industry, right?
[37:19.470 --> 37:21.790]  You have all of these cases.
[37:21.870 --> 37:23.630]  It doesn't have to be fraud.
[37:23.630 --> 37:25.210]  It can also be money laundering.
[37:25.210 --> 37:26.450]  It can be mule accounts.
[37:26.450 --> 37:27.590]  Let's actually talk about mules
[37:27.590 --> 37:30.390]  because there is an implication
[37:30.390 --> 37:33.890]  of a high account opening fraud world.
[37:34.570 --> 37:38.250]  This is like a diagram, a very crude one,
[37:38.250 --> 37:44.230]  showing a typical fraud supply chain.
[37:44.430 --> 37:47.830]  Obviously, it's not a single person that can do everything.
[37:47.830 --> 37:50.030]  As a fraudster, you typically choose
[37:50.690 --> 37:53.150]  between am I gonna harvest information,
[37:53.150 --> 37:56.710]  break into accounts and break into databases
[37:56.710 --> 38:00.170]  or do phishing, frauds, et cetera, collect the information
[38:00.170 --> 38:04.450]  or am I gonna use that stolen information to cash out?
[38:04.450 --> 38:06.750]  Typically, people make that choice.
[38:07.350 --> 38:09.730]  The harvesting process would use tools
[38:09.730 --> 38:11.330]  and hosting and delivery mechanisms
[38:11.330 --> 38:14.390]  to infect more people or send them phishing emails
[38:14.390 --> 38:18.650]  and stuff like that, or just break into a database.
[38:18.710 --> 38:21.090]  The cash out process will be the ones
[38:21.090 --> 38:23.950]  that are tasked with emptying all of these accounts.
[38:23.950 --> 38:27.130]  They understand everything about the specific bank defenses,
[38:27.130 --> 38:28.630]  the credit card defenses.
[38:28.650 --> 38:30.130]  They know how to move money.
[38:30.130 --> 38:32.090]  They know what sort of controls are in place.
[38:32.090 --> 38:34.770]  And they also need to send the money,
[38:34.770 --> 38:36.210]  obviously not to themselves,
[38:36.210 --> 38:39.770]  but to some sort of collaboration account.
[38:40.070 --> 38:42.290]  And for many years, those were new accounts
[38:42.290 --> 38:45.430]  because it was very difficult to open an account,
[38:45.430 --> 38:48.630]  let's say locally, if you're a criminal outside of the UK
[38:48.630 --> 38:50.610]  to use an account in the UK.
[38:50.610 --> 38:52.850]  If you're outside of the US, use an account in the US.
[38:52.850 --> 38:55.990]  So you always recruited local collaborators,
[38:55.990 --> 38:59.470]  some of them knowingly, some of them unknowingly.
[39:00.050 --> 39:01.330]  I mean, in Australia, for example,
[39:01.330 --> 39:06.050]  there was a case where the criminals went to high schools
[39:06.050 --> 39:09.230]  and said, hey, you have like a teenager account.
[39:09.770 --> 39:13.250]  We are kind of a charity company,
[39:14.330 --> 39:18.090]  charity, big charity, and donors,
[39:18.090 --> 39:19.730]  people that have lots of money
[39:19.730 --> 39:23.410]  will send money to your account.
[39:23.590 --> 39:26.730]  You're gonna pass it to us, we're the charity in East Europe
[39:26.730 --> 39:28.870]  and you're gonna get a commission.
[39:28.870 --> 39:31.630]  So the teenagers didn't really realize
[39:31.630 --> 39:35.270]  they're actually collaborating with this sort of scheme.
[39:35.270 --> 39:37.730]  So sometimes the mules know that they're mules,
[39:37.730 --> 39:39.190]  sometimes they don't know that they're mules
[39:39.190 --> 39:40.410]  and they're recruited.
[39:41.390 --> 39:46.770]  Mules have been a very important part of that ecosystem,
[39:46.770 --> 39:49.370]  but now you don't need them.
[39:49.370 --> 39:50.830]  You can be your own mule.
[39:50.830 --> 39:53.090]  You can just open an account online.
[39:53.090 --> 39:55.450]  It's so easy these days and just send money
[39:56.010 --> 39:57.350]  from your compromised account
[39:57.350 --> 40:00.070]  to your newly established account,
[40:00.070 --> 40:03.270]  saving the need to work with mules.
[40:03.390 --> 40:04.930]  It's saving you a lot of money,
[40:04.930 --> 40:07.810]  opening an account is free, you don't have to pay anyone.
[40:07.870 --> 40:09.650]  And once the money is in your new account,
[40:09.650 --> 40:11.450]  you can just do whatever you want with it.
[40:11.450 --> 40:14.730]  You can send it anywhere, you can buy things, whatever.
[40:14.970 --> 40:20.970]  So this is changing a lot of the economics of online fraud.
[40:21.910 --> 40:24.070]  All right, so let's actually summarize.
[40:24.990 --> 40:26.370]  What have we learned today?
[40:27.110 --> 40:29.130]  Identity is totally broken.
[40:29.530 --> 40:31.270]  Criminals behave differently.
[40:31.810 --> 40:35.070]  And when in doubt, call the dead guy.
[40:37.670 --> 40:39.610]  I hope you enjoyed the presentation
[40:39.610 --> 40:41.910]  and let's see if you have any questions.
